Invalid response from web address so cannot validate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.titivillus.ca and titivillus.ca

I ran this command: sudo certbot --apache -d www.titivillus.ca -d titivillus.ca -v

It produced this output:
Challenge failed for domain www.titivillus.ca
http-01 challenge for Identifier(typ=IdentifierType(dns), value='titivillus.ca')
http-01 challenge for Identifier(typ=IdentifierType(dns), value='www.titivillus.ca')

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Identifier: titivillus.ca
Type: unauthorized
Detail: During secondary validation: 3.33.130.190: Invalid response from http://titivillus.ca/.well-known/acme-challenge/ov4uTujm2TpHb_Nfd25CbcN4Jg39Qg-bUvJZw3IkFNM: 403

My web server is (include version): Apache/2.4.58 (Ubuntu)

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: Worldstream dedicated server

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 5.6.0

Some more information. I have been using CertBot happily on several other sites with no problem. So I cannot understand why it is not working on this site. Looking at the logs I see this line in the output for the sites I have got certificates for:
"validationRecord": [
  {
    "url": "http://textualcommunities.com/.well-known/acme-challenge/BJZXAZYLY86_-1OkyrIXu-DFFh1qZpGJPICLp3asTEc",
    "hostname": "textualcommunities.com",
    "port": "80",
    "addressesResolved": [
      "80.79.4.52"
    ],
    "addressUsed": "80.79.4.52"
But when I try to generate the certificate for titivillus.ca I see this:
"validationRecord": [
  {
    "url": "http://www.titivillus.ca/.well-known/acme-challenge/V_bdWi2gJOkKJkSeXlIqBHCgO6G9ym_UPqSXBKqJ-ks",
    "hostname": "www.titivillus.ca",
    "port": "80",
    "addressesResolved": [
      "3.33.130.190",
      "15.197.148.33",
      "80.79.4.52"
    ],
    "addressUsed": "3.33.130.190"
Where did these additional addressesResolved come from? And why is addressUsed set to some completely random server which I have nothing to do with?

Because there are DNS records pointing to that address:

dan@MacBookPro ~ dig www.titivillus.ca

; <<>> DiG 9.10.6 <<>> www.titivillus.ca
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55335
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.titivillus.ca.		IN	A

;; ANSWER SECTION:
www.titivillus.ca.	3600	IN	CNAME	titivillus.ca.
titivillus.ca.		600	IN	A	3.33.130.190
titivillus.ca.		600	IN	A	15.197.148.33
titivillus.ca.		600	IN	A	80.79.4.52

Each of your authoritative nameservers responds with all three of these A records. Once you fix your DNS records, you should be set.
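The check described in the answer above, as an added example that is not part of the original posts: it parses `dig` answer text, follows the CNAME chain, and lists every A/AAAA address that is not one of your own servers, since the CA may connect to any address it resolves. The function names are hypothetical, and the expected address `80.79.4.52` is assumed to be the poster's server because it is the only address in the working `validationRecord`.

```python
import ipaddress

# Answer section copied from the dig output quoted in the thread above.
SAMPLE_DIG_ANSWER = """\
www.titivillus.ca.	3600	IN	CNAME	titivillus.ca.
titivillus.ca.		600	IN	A	3.33.130.190
titivillus.ca.		600	IN	A	15.197.148.33
titivillus.ca.		600	IN	A	80.79.4.52
"""

def parse_records(dig_text):
    """Return (owner, type, rdata) tuples from dig answer lines, skipping comments."""
    records = []
    for line in dig_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or line.startswith(";") or fields[2] != "IN":
            continue
        owner, _ttl, _cls, rtype, rdata = fields[:5]
        records.append((owner.lower().rstrip("."), rtype.upper(), rdata))
    return records

def resolve_addresses(records, name, max_hops=8):
    """Follow CNAMEs from name and return every A/AAAA address it ends at."""
    current = name.lower().rstrip(".")
    for _ in range(max_hops):
        targets = [r for o, t, r in records if o == current and t == "CNAME"]
        if not targets:
            break
        current = targets[0].lower().rstrip(".")
    return [ipaddress.ip_address(r) for o, t, r in records
            if o == current and t in ("A", "AAAA")]

def stray_addresses(dig_text, name, expected):
    """Addresses a validator may pick that are not in the expected server set."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    found = resolve_addresses(parse_records(dig_text), name)
    return sorted(str(a) for a in found if a not in allowed)

if __name__ == "__main__":
    # Assumption: 80.79.4.52 is the only server that should answer HTTP-01.
    for host in ("www.titivillus.ca", "titivillus.ca"):
        stray = stray_addresses(SAMPLE_DIG_ANSWER, host, ["80.79.4.52"])
        print(host, "stray:" if stray else "ok", ", ".join(stray))
```

Feed it the output of `dig` for each name on the certificate before running certbot; an empty list means every resolved address is one you control.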

Thank you! That is just weird. I did NOT set up those first two records. That address is with GoDaddy. I'll check that and remove these unwanted A DNS records and report.

That looks like leftovers from setting up GoDaddy Domain Forwarding or the original parking page. Google uses AWS services for that and two of those IPs are for AWS.

You should review this previous thread: I got This error - #6 by Geno11x11

Good news (mostly). I went to the GoDaddy configuration. There was another active A record there, which curiously had a blank where the IP address should go. There were NO A records linking to the dubious 3.33.130.190 and 15.197.148.33 sites. Anyway: I eliminated the dubious empty A link. I checked with dig www.titivillus.ca and now I could only see my server IP. And lo! certbot worked and now I have a fully functioning https site.

I am still puzzled by what is going on inside GoDaddy. But hey. All good.